From 9262a24abc417c95edf9147146a901608457e0bb Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E9=A5=BA=E5=AD=90w=20=28Yumechi=29?=
 <35571479+eternal-flame-AD@users.noreply.github.com>
Date: Fri, 19 Sep 2025 04:43:09 -0500
Subject: [PATCH] feat: refine AutoCert logic (#843)

* feat: refine AutoCert logic

Signed-off-by: eternal-flame-AD <yume@yumechi.jp>

* add a configurable name to the roundtripper

Signed-off-by: eternal-flame-AD <yume@yumechi.jp>
---
 config.example.yml |  4 ++++
 config/config.go   |  9 +++++----
 runner/runner.go   | 41 ++++++++++++++++++++++++++++++++++++++---
 3 files changed, 47 insertions(+), 7 deletions(-)

diff --git a/config.example.yml b/config.example.yml
index 46350d6..393e9ea 100644
--- a/config.example.yml
+++ b/config.example.yml
@@ -17,6 +17,10 @@ server:
       enabled: false # if the certificate should be requested from letsencrypt
       accepttos: false # if you accept the tos from letsencrypt
       cache: data/certs # the directory of the cache from letsencrypt
+      directoryurl: # override the directory url of the ACME server
+                    # Let's Encrypt highly recommend testing against their staging environment before using their production environment.
+                    # Staging server has high rate limits for testing and debugging, issued certificates are not valid
+                    # example: https://acme-staging-v02.api.letsencrypt.org/directory
       hosts: # the hosts for which letsencrypt should request certificates
 #      - mydomain.tld
 #      - myotherdomain.tld
diff --git a/config/config.go b/config/config.go
index 5248930..32bd788 100644
--- a/config/config.go
+++ b/config/config.go
@@ -23,10 +23,11 @@ type Configuration struct {
 			CertFile        string `default:""`
 			CertKey         string `default:""`
 			LetsEncrypt     struct {
-				Enabled   bool   `default:"false"`
-				AcceptTOS bool   `default:"false"`
-				Cache     string `default:"data/certs"`
-				Hosts     []string
+				Enabled      bool   `default:"false"`
+				AcceptTOS    bool   `default:"false"`
+				Cache        string `default:"data/certs"`
+				DirectoryURL string `default:""`
+				Hosts        []string
 			}
 		}
 		ResponseHeaders map[string]string
diff --git a/runner/runner.go b/runner/runner.go
index 4ddf199..f985a6c 100644
--- a/runner/runner.go
+++ b/runner/runner.go
@@ -2,8 +2,8 @@ package runner
 
 import (
 	"context"
-	"crypto/tls"
 	"fmt"
+	"log"
 	"net"
 	"net/http"
 	"os"
@@ -13,6 +13,7 @@ import (
 	"time"
 
 	"github.com/gotify/server/v2/config"
+	"golang.org/x/crypto/acme"
 	"golang.org/x/crypto/acme/autocert"
 )
 
@@ -31,6 +32,8 @@ func Run(router http.Handler, conf *config.Configuration) error {
 	if conf.Server.SSL.Enabled {
 		if conf.Server.SSL.LetsEncrypt.Enabled {
 			applyLetsEncrypt(s, conf)
+		} else if conf.Server.SSL.CertFile == "" || conf.Server.SSL.CertKey == "" {
+			log.Fatalln("CertFile and CertKey must be set to use HTTPS when LetsEncrypt is disabled, please set GOTIFY_SERVER_SSL_CERTFILE and GOTIFY_SERVER_SSL_CERTKEY")
 		}
 
 		httpsListener, err := startListening("TLS connection", conf.Server.SSL.ListenAddr, conf.Server.SSL.Port, conf.Server.KeepAlivePeriodSeconds)
@@ -94,12 +97,44 @@ func getNetworkAndAddr(listenAddr string, port int) (string, string) {
 	return "tcp", fmt.Sprintf("%s:%d", listenAddr, port)
 }
 
+type LoggingRoundTripper struct {
+	Name         string
+	RoundTripper http.RoundTripper
+}
+
+func (l *LoggingRoundTripper) RoundTrip(r *http.Request) (resp *http.Response, err error) {
+	resp, err = l.RoundTripper.RoundTrip(r)
+	if resp.StatusCode == 429 {
+		log.Printf("%s Rate Limited: Retry-After %s on %s %s\n", l.Name, resp.Header.Get("Retry-After"), r.Method, r.URL.String())
+	} else if resp.StatusCode >= 400 {
+		log.Printf("%s Request Failed: Unexpected status code %d on %s %s\n", l.Name, resp.StatusCode, r.Method, r.URL.String())
+	} else if err != nil {
+		log.Printf("%s Request Failed: %s on %s %s\n", l.Name, err.Error(), r.Method, r.URL.String())
+	}
+	return
+}
+
 func applyLetsEncrypt(s *http.Server, conf *config.Configuration) {
+	httpClient := &http.Client{
+		Transport: &LoggingRoundTripper{Name: "Let's Encrypt", RoundTripper: http.DefaultTransport},
+		Timeout:   60 * time.Second,
+	}
+
+	acmeClient := &acme.Client{
+		HTTPClient:   httpClient,
+		DirectoryURL: conf.Server.SSL.LetsEncrypt.DirectoryURL,
+	}
 	certManager := autocert.Manager{
-		Prompt:     func(tosURL string) bool { return conf.Server.SSL.LetsEncrypt.AcceptTOS },
+		Client: acmeClient,
+		Prompt: func(tosURL string) bool {
+			if !conf.Server.SSL.LetsEncrypt.AcceptTOS {
+				log.Fatalf("Let's Encrypt TOS must be accepted to use Let's Encrypt, please acknowledge TOS at %s and set GOTIFY_SERVER_SSL_LETSENCRYPT_ACCEPTTOS=true\n", tosURL)
+			}
+			return true
+		},
 		HostPolicy: autocert.HostWhitelist(conf.Server.SSL.LetsEncrypt.Hosts...),
 		Cache:      autocert.DirCache(conf.Server.SSL.LetsEncrypt.Cache),
 	}
 	s.Handler = certManager.HTTPHandler(s.Handler)
-	s.TLSConfig = &tls.Config{GetCertificate: certManager.GetCertificate}
+	s.TLSConfig = certManager.TLSConfig()
 }